Guest Column
| September 21, 2018

Taking A Phased Approach To Plug Cybersecurity Gaps

By Ray Tam, Trace3

We seem to be bombarded by daily news reports about the dangers of the latest hacking attacks, phishing attempts, and data breaches. The rapidly evolving security landscape poses a big challenge for solutions providers to help clients establish and update their security defense.

CISOs and security managers are especially concerned about gaps in their security controls, which are hampered by ongoing shortages of resources and the expertise needed to safeguard their assets. Given the scope of this problem, many security teams are uncertain about where to begin and how to proceed. We advise taking a phased approach to plug the most important security gaps first. Then security leaders can mature their security program as new threat vectors emerge.

Remember that security is really a journey instead of a destination, so you probably can’t solve everything at once with a big bang approach anyway. For this reason, it is best to start with the fundamentals by leveraging a security framework, maturity model, and common language for your team to assess your most pressing risks, vulnerabilities, and controls based on industry best practices. Implement the most critical and foundational solutions to address areas with the highest risk first, and then roll out a more comprehensive integrated security platform over time.

We recommend our clients to first focus on the most critical business objectives for the organization such as patient safety and privacy if it is a hospital, customer data protection or monetary frauds for financial company. Once you have a better understanding on what to protect, you might then create an inventory of your critical assets and corresponding security controls that you have already deployed and identifying the effectiveness of these controls, along with a list of gaps that may require further attention. A good reference point is to consult the NIST Cybersecurity Framework (CSF) developed by the National Institute of Standards and Technology. This framework consists of a comprehensive set of standards, guidelines, and best practices to manage cybersecurity-related risks.

The Cybersecurity Framework provides a flexible, cost-effective approach to promote the protection of digital assets and critical infrastructure. As businesses adopt innovative technologies to drive speed to market and create a competitive advantage, their security postures associated with the goals to reduce business risks must be measured constantly. Therefore, by following CSF, your team should be able to easily evaluate the current and future states of your security program across about 100 subcategories, and to compare your progress against similar organizations in your industry. Again, make sure you rank these subcategories to stay focused on your top priority and most critical assets.

Getting security right requires a continuous, ongoing effort because the hackers will always invent clever new ways to penetrate computer defenses through sneaky back-door entries, malicious software apps, phony web pages, and fake browser extensions. Of course, there also will be social engineering attacks that take advantage of good old-fashioned human emotions such as trust, fear, and greed as well. That’s why something as basic as staff security trainings are still so essential even though your organization might have the most powerful security controls in place. In fact, people are still the weakest security link.

We know that countless security concerns threaten us out in the wild these days. After all, the bad guys are always hatching new ways to undermine security protections. In the end, the best way to defend against these attacks is to take a phased approach by progressively rolling out new solutions through a cohesive and integrated strategic plan.

About The Author

Ray Tam is Vice President – Security for Trace3, a pioneer in business transformation solutions.